QUIC connection error

Hi, we are currently implementing below method for a quick POC in iOS (Xcode 15.3/macOS Sonoma 14.0):

func startQUICConnection() async {
        // Set the initial stream to bidirectional.
        options.direction = .bidirectional
       
        self.mainConn?.stateUpdateHandler = { [weak self] state in
            print("Main Connection State: \(state)")
            switch state {
            case .ready:
                print("Ready...")
            default:
                break
            }
        }
        // Don't forget to start the connection.
        self.mainConn?.start(queue: self.queue)
    }

This is what we have in the initializer of the class:

parameters = NWParameters(quic: options)
mainConn = NWConnection(to: endpoint, using: parameters)

These are the class's properties:

    let endpoint = NWEndpoint.hostPort(host: "0.0.0.0", port: .init(integerLiteral: 6667))
    let options =  NWProtocolQUIC.Options(alpn: ["echo"])
    let queue = DispatchQueue(label: "quic", qos: .userInteractive)
    var mainConn: NWConnection? = nil
    let parameters: NWParameters!

As per the logs, we never get to the .ready state for the NWConnection.

Logs:

nw_path_evaluator_create_flow_inner failed NECP_CLIENT_ACTION_ADD_FLOW (null) evaluator parameters: quic, attach protocol listener, attribution: developer, context: Default Network Context (private), proc: 022B7C28-0271-3628-8E5E-26B590B50E5B

nw_path_evaluator_create_flow_inner NECP_CLIENT_ACTION_ADD_FLOW 8FEBF750-979D-437F-B4A8-FB71F4C5A882 [22: Invalid argument]
nw_endpoint_flow_setup_channel [C2 0.0.0.0:6667 in_progress channel-flow (satisfied (Path is satisfied), interface: en0[802.11], ipv4, ipv6, dns, uses wifi)] failed to request add nexus flow

Main Connection State: preparing
Main Connection State: waiting(POSIXErrorCode(rawValue: 22): Invalid argument)

We're running a local server using proxygen on port 6667. It connects with the proxygen client though...

Have tried several thing but results are the same.

Answered by palfonso in 782886022

Changing the host to 127.0.0.1, seems to solve the POSIXError 22.

Getting these logs now:

boringssl_session_handshake_incomplete(210) [C3:1][0x10463d380] SSL library error
boringssl_session_handshake_error_print(44) [C3:1][0x10463d380] Error: 4375179344:error:10000133:SSL routines:OPENSSL_internal:reason(307):/Library/Caches/com.apple.xbs/Sources/boringssl/ssl/extensions.cc:1433:
boringssl_session_handshake_error_print(44) [C3:1][0x10463d380] Error: 4375179344:error:10000093:SSL routines:OPENSSL_internal:ERROR_ADDING_EXTENSION:/Library/Caches/com.apple.xbs/Sources/boringssl/ssl/extensions.cc:3892:extension 16
quic_crypto_connection_state_handler [C2:1] [-7b9638dc5ec49cb9] TLS error -9858 (state failed)
nw_connection_copy_connected_local_endpoint_block_invoke [C3] Client called nw_connection_copy_connected_local_endpoint on unconnected nw_connection
nw_connection_copy_connected_remote_endpoint_block_invoke [C3] Client called nw_connection_copy_connected_remote_endpoint on unconnected nw_connection
nw_connection_copy_protocol_metadata_internal_block_invoke [C3] Client called nw_connection_copy_protocol_metadata_internal on unconnected nw_connection
Main Connection State: waiting(-9858: handshake failed)

If we connect via openssl openssl s_client -connect 127.0.0.1:6667 -tls1_3, this is the output:

CONNECTED(00000003)
Can't use SSL_get_servername
depth=0 C = US, ST = California, L = Menlo Park, O = Proxygen, OU = Proxygen, CN = Proxygen, emailAddress = ...
verify error:num=18:self-signed certificate
verify return:1
depth=0 C = US, ST = California, L = Menlo Park, O = Proxygen, OU = Proxygen, CN = Proxygen, emailAddress = ...
verify return:1
---
Certificate chain
 0 s:C = US, ST = California, L = Menlo Park, O = Proxygen, OU = Proxygen, CN = Proxygen, emailAddress = ...
   i:C = US, ST = California, L = Menlo Park, O = Proxygen, OU = Proxygen, CN = Proxygen, emailAddress = ...
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: May  8 06:59:00 2019 GMT; NotAfter: May  5 06:59:00 2029 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
<some_certificate>
-----END CERTIFICATE-----
subject=C = US, ST = California, L = Menlo Park, O = Proxygen, OU = Proxygen, CN = Proxygen, emailAddress = ..
issuer=C = US, ST = California, L = Menlo Park, O = Proxygen, OU = Proxygen, CN = Proxygen, emailAddress = ...
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2319 bytes and written 289 bytes
Verification error: self-signed certificate
---
New, TLSv1.3, Cipher is TLS_CHACHA20_POLY1305_SHA256
Server public key is 4096 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 18 (self-signed certificate)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_CHACHA20_POLY1305_SHA256
    Session-ID: 8C3CC90C4E4C1EA2A464C8026A082617B9DDEB4E3C5390AD1209B1E7699A3B3F
    Session-ID-ctx: 
    Resumption PSK: AE68BFE7F82ADB67D17B4838CE8C3E9231A25F1E880068B667CA44554276258C
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 3600 (seconds)
    TLS session ticket:
   
    Start Time: 1710478613
    Timeout   : 7200 (sec)
    Verify return code: 18 (self-signed certificate)
    Extended master secret: no
    Max Early Data: 0
---

So we added below lines to the startQUICConnection method, in order to use cypher TLS_CHACHA20_POLY1305_SHA256 along with TLS v1.3 as reported by openssl:

sec_protocol_options_set_min_tls_protocol_version(options.securityProtocolOptions, .TLSv13)
sec_protocol_options_set_max_tls_protocol_version(options.securityProtocolOptions, .TLSv13)
sec_protocol_options_append_tls_ciphersuite(options.securityProtocolOptions, tls_ciphersuite_t(rawValue: TLS_PSK_WITH_CHACHA20_POLY1305_SHA256)!)

Now, what's the meaning of SSL routines:OPENSSL_internal:ERROR_ADDING_EXTENSION and how to solve it?

Accepted Answer

Changing the host to 127.0.0.1, seems to solve the POSIXError 22.

Getting these logs now:

boringssl_session_handshake_incomplete(210) [C3:1][0x10463d380] SSL library error
boringssl_session_handshake_error_print(44) [C3:1][0x10463d380] Error: 4375179344:error:10000133:SSL routines:OPENSSL_internal:reason(307):/Library/Caches/com.apple.xbs/Sources/boringssl/ssl/extensions.cc:1433:
boringssl_session_handshake_error_print(44) [C3:1][0x10463d380] Error: 4375179344:error:10000093:SSL routines:OPENSSL_internal:ERROR_ADDING_EXTENSION:/Library/Caches/com.apple.xbs/Sources/boringssl/ssl/extensions.cc:3892:extension 16
quic_crypto_connection_state_handler [C2:1] [-7b9638dc5ec49cb9] TLS error -9858 (state failed)
nw_connection_copy_connected_local_endpoint_block_invoke [C3] Client called nw_connection_copy_connected_local_endpoint on unconnected nw_connection
nw_connection_copy_connected_remote_endpoint_block_invoke [C3] Client called nw_connection_copy_connected_remote_endpoint on unconnected nw_connection
nw_connection_copy_protocol_metadata_internal_block_invoke [C3] Client called nw_connection_copy_protocol_metadata_internal on unconnected nw_connection
Main Connection State: waiting(-9858: handshake failed)

If we connect via openssl openssl s_client -connect 127.0.0.1:6667 -tls1_3, this is the output:

CONNECTED(00000003)
Can't use SSL_get_servername
depth=0 C = US, ST = California, L = Menlo Park, O = Proxygen, OU = Proxygen, CN = Proxygen, emailAddress = ...
verify error:num=18:self-signed certificate
verify return:1
depth=0 C = US, ST = California, L = Menlo Park, O = Proxygen, OU = Proxygen, CN = Proxygen, emailAddress = ...
verify return:1
---
Certificate chain
 0 s:C = US, ST = California, L = Menlo Park, O = Proxygen, OU = Proxygen, CN = Proxygen, emailAddress = ...
   i:C = US, ST = California, L = Menlo Park, O = Proxygen, OU = Proxygen, CN = Proxygen, emailAddress = ...
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: May  8 06:59:00 2019 GMT; NotAfter: May  5 06:59:00 2029 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
<some_certificate>
-----END CERTIFICATE-----
subject=C = US, ST = California, L = Menlo Park, O = Proxygen, OU = Proxygen, CN = Proxygen, emailAddress = ..
issuer=C = US, ST = California, L = Menlo Park, O = Proxygen, OU = Proxygen, CN = Proxygen, emailAddress = ...
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2319 bytes and written 289 bytes
Verification error: self-signed certificate
---
New, TLSv1.3, Cipher is TLS_CHACHA20_POLY1305_SHA256
Server public key is 4096 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 18 (self-signed certificate)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_CHACHA20_POLY1305_SHA256
    Session-ID: 8C3CC90C4E4C1EA2A464C8026A082617B9DDEB4E3C5390AD1209B1E7699A3B3F
    Session-ID-ctx: 
    Resumption PSK: AE68BFE7F82ADB67D17B4838CE8C3E9231A25F1E880068B667CA44554276258C
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 3600 (seconds)
    TLS session ticket:
   
    Start Time: 1710478613
    Timeout   : 7200 (sec)
    Verify return code: 18 (self-signed certificate)
    Extended master secret: no
    Max Early Data: 0
---

So we added below lines to the startQUICConnection method, in order to use cypher TLS_CHACHA20_POLY1305_SHA256 along with TLS v1.3 as reported by openssl:

sec_protocol_options_set_min_tls_protocol_version(options.securityProtocolOptions, .TLSv13)
sec_protocol_options_set_max_tls_protocol_version(options.securityProtocolOptions, .TLSv13)
sec_protocol_options_append_tls_ciphersuite(options.securityProtocolOptions, tls_ciphersuite_t(rawValue: TLS_PSK_WITH_CHACHA20_POLY1305_SHA256)!)

Now, what's the meaning of SSL routines:OPENSSL_internal:ERROR_ADDING_EXTENSION and how to solve it?

QUIC connection error
 
 
Q